Ransomware gang abuses Microsoft Teams relays to hide malicious traffic
DragonForce ransomware operators used a custom malware named Backdoor.Turn to hide command-and-control (C2) traffic within Microsoft Teams' TURN relay infrastructure. This technique leverages legitimate Microsoft Teams relay servers to mask malicious communications, making detection more difficult. The attack involved initial exploitation of an unknown SQL/MSSQL flaw, followed by privilege escalation using vulnerable drivers and sideloading techniques. Backdoor.Turn enables various malicious activities including command execution, network scanning, credential theft, and reconnaissance before deploying ransomware. The campaign demonstrates sophisticated tradecraft and evasion tactics.
AI Analysis
Technical Summary
DragonForce ransomware employed a Go-based remote access trojan called Backdoor.Turn that abuses Microsoft Teams' TURN relay servers to conceal C2 communications. By obtaining anonymous Teams visitor tokens and routing traffic through legitimate TURN relays, the malware hides its network activity within trusted Microsoft infrastructure. The attack chain began with exploitation of an unknown SQL/MSSQL vulnerability, followed by deployment of a malicious DLL sideloaded via legitimate executables, establishment of persistence, and kernel-level privilege escalation using multiple vulnerable drivers (including Huawei’s HWAuidoOs2Ec.sys and others with known CVEs). The malware's capabilities include command execution, process creation, network reconnaissance, TLS certificate capture, LDAP/Active Directory enumeration, website title collection, and browser credential theft. After reconnaissance and evasion, data exfiltration and ransomware deployment occurred. This is the first known in-the-wild malware abusing Microsoft Teams TURN relays for C2 communications, illustrating advanced evasion and stealth techniques.
Potential Impact
The threat enables attackers to hide command-and-control traffic within legitimate Microsoft Teams relay infrastructure, complicating detection by security tools. The attackers achieved kernel-level privileges to disable security products and maintain persistence. The malware facilitates extensive reconnaissance, credential theft, and network scanning, leading to data exfiltration and deployment of DragonForce ransomware, resulting in system encryption and operational disruption. The use of legitimate infrastructure for C2 communications increases the difficulty of identifying malicious activity, potentially prolonging attacker dwell time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Defenders should monitor for indicators of compromise published by Symantec related to Backdoor.Turn and DragonForce activity. Network defenders should be aware of potential abuse of Microsoft Teams TURN relay infrastructure for C2 traffic. Employ detection rules targeting anomalous use of Teams TURN tokens and relay connections. Investigate and remediate vulnerable drivers exploited for privilege escalation. Since this technique abuses legitimate Microsoft infrastructure, enhanced monitoring of Teams traffic and endpoint behavior is recommended. No official patch or fix is indicated in the provided information.
Technical Details
- Article Source: https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/ (fetched 2026-06-16T10:30:26Z, 833 words)
Threat ID: 6a3125c20b89be688891dd3d
Added to database: 6/16/2026, 10:30:26 AM
Last enriched: 6/16/2026, 10:30:39 AM
Last updated: 6/16/2026, 12:55:49 PM